import CS nginx-1.20.1-22.el9

2025-03-11 07:50:58 +00:00 · 2025-03-11 07:50:58 +00:00 · ce0040fe25
commit ce0040fe25
parent eaaa05c522
3 changed files with 68 additions and 11 deletions
--- a/SOURCES/nginx-1.20.1-CVE-2025-23419.patch
+++ b/SOURCES/nginx-1.20.1-CVE-2025-23419.patch
@ -0,0 +1,45 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 684fabd..404aa77 100644
+--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
+@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
+    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+
+    if (sscf->verify) {
+        const char  *hostname;
+
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+
+#endif
+
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {
--- a/SOURCES/nginx.sysusers
+++ b/SOURCES/nginx.sysusers
@ -0,0 +1,3 @@
+#Type Name     ID             GECOS                 Home directory Shell
+g nginx -
+u nginx - "Nginx web server" /var/lib/nginx /sbin/nologin
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           20%{?dist}
+Release:           22%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -62,6 +62,7 @@ Source13:          nginx-upgrade
 Source14:          nginx-upgrade.8
 Source15:          macros.nginxmods.in
 Source16:          nginxmods.attr
+Source17:          nginx.sysusers
 Source102:         nginx-logo.png
 Source103:         404.html
 Source104:         50x.html
@ -100,6 +101,9 @@ Patch8:            0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
 # upstream patch - https://issues.redhat.com/browse/RHEL-40075
 Patch9:            0010-Optimized-chain-link-usage.patch

+# upstream patch - https://issues.redhat.com/browse/RHEL-78236
+Patch10:           nginx-1.20.1-CVE-2025-23419.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -134,9 +138,9 @@ Recommends:        logrotate
 Requires:          %{name}-core = %{epoch}:%{version}-%{release}

 BuildRequires:     systemd
-Requires(post):    systemd
-Requires(preun):   systemd
-Requires(postun):  systemd
+BuildRequires:     systemd-rpm-macros
+%{?systemd_requires}
+
 # For external nginx modules
 Provides:          nginx(abi) = %{nginx_abiversion}

@ -176,7 +180,7 @@ Meta package that installs all available nginx modules.
 %package filesystem
 Summary:           The basic directory layout for the Nginx server
 BuildArch:         noarch
-Requires(pre):     shadow-utils
+%{?sysusers_requires_compat}

 %description filesystem
 The nginx-filesystem package contains the basic directory layout
@ -466,14 +470,11 @@ sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \
 ## Install dependency generator
 install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16}

-
+# install sysusers file
+install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/nginx.conf

 %pre filesystem
-getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
-getent passwd %{nginx_user} > /dev/null || \
-    useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \
-    -s /sbin/nologin -c "Nginx web server" %{nginx_user}
-exit 0
+%sysusers_create_compat %{SOURCE17}

 %post
 %systemd_post nginx.service
@ -574,6 +575,7 @@ fi
 %dir %{_sysconfdir}/nginx/default.d
 %dir %{_sysconfdir}/systemd/system/nginx.service.d
 %dir %{_unitdir}/nginx.service.d
+%{_sysusersdir}/nginx.conf

 %if %{with geoip}
 %files mod-http-geoip
@ -611,6 +613,13 @@ fi


 %changelog
+* Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
+- Resolves: RHEL-78236 - nginx: TLS Session Resumption
+  Vulnerability (CVE-2025-23419)
+
+* Wed Feb 05 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-21
+- Resolves: RHEL-77486 - [RFE] nginx use systemd-sysusers
+
 * Mon Jul 15 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-20
 - Resolves: RHEL-40075 - nginx worker processes memory leak